Any time you connect to a new host via SSH, you get a message asking you to verify the authenticity of the host.
    The authenticity of host 'ociaw.com (22.214.171.124)' can't be established.
    ED25519 key fingerprint is SHA256:2t1SyRaE55f2FkBIsVVTMOuyTjIHkD+U9hToqjIagV4.
    Are you sure you want to continue connecting (yes/no/[fingerprint])?
The proper way to calculate this fingerprint is to run ssh-keygen -l on the host. For example:

    # Determine the fingerprint of the RSA host key
    ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

    # Determine the fingerprint of the ED25519 host key
    ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub

    # Determine the fingerprint of the ECDSA host key
    ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
You can then compare the result of ssh-keygen to the host fingerprint. If they match, everything is good and you can safely type "yes". If they don't, something is wrong, and you must not continue connecting until you determine what the issue is and resolve it.
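As an added example (my own code, not part of the original post), the following script computes the SHA256 fingerprint from a public key line the same way ssh-keygen -l does (SHA-256 over the decoded key blob, base64 without padding) and compares it against the fingerprint shown in the prompt. The ssh-ed25519 key line, its comment and all function names are constructed for illustration and belong to no real host.

```python
import base64
import hashlib
import struct

# Constructed sample (not a real host's key): an ssh-ed25519 public key built
# from an arbitrary 32-byte value, in OpenSSH "<type> <base64> <comment>" form.
_SAMPLE_TYPE = b"ssh-ed25519"
_SAMPLE_RAW = bytes(range(32))
_SAMPLE_BLOB = (struct.pack(">I", len(_SAMPLE_TYPE)) + _SAMPLE_TYPE
                + struct.pack(">I", len(_SAMPLE_RAW)) + _SAMPLE_RAW)
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " root@example-host"


def _read_ssh_string(blob: bytes, offset: int):
    """Read one length-prefixed SSH wire string; return (value, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH public key line, checking that
    the declared key type matches the type encoded inside the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    embedded_type, _ = _read_ssh_string(blob, 0)
    if embedded_type.decode() != declared_type:
        raise ValueError(f"declared type {declared_type} does not match blob type {embedded_type!r}")
    return blob


def sha256_fingerprint(line: str) -> str:
    """Fingerprint in the form ssh-keygen -l prints: 'SHA256:' plus the base64
    of the SHA-256 digest of the key blob, with '=' padding stripped."""
    digest = hashlib.sha256(parse_public_key(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints_match(expected: str, shown: str) -> bool:
    """Compare a locally computed fingerprint with the one in the SSH prompt,
    tolerating a missing 'SHA256:' prefix, whitespace and base64 padding."""
    def norm(fp: str) -> str:
        fp = fp.strip()
        if fp.upper().startswith("SHA256:"):
            fp = fp[7:]
        return fp.rstrip("=")
    return norm(expected) == norm(shown)
```

Run sha256_fingerprint on the contents of /etc/ssh/ssh_host_ed25519_key.pub read over a channel you already trust, then pass the prompt's fingerprint to fingerprints_match; a False result is the "something is wrong" case above.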
Why is this necessary?
It's necessary to verify that the fingerprint is correct to ensure that you're connecting to the correct server, otherwise you could be a victim of a man-in-the-middle attack. Unfortunately, many tutorials breeze past this, telling you to either blindly say yes or to use ssh-keyscan, which is still vulnerable to interception.
It's often hard to find the host keys of public services, if they're available at all. I'm tired of trying to dig them up each time I connect from a new computer, so below is a list of known host keys and fingerprints for public services. I'll attempt to keep this list updated, but I don't guarantee it.